[gnutls-devel] GnuTLS | DH and ECDH keys tests (!990)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Fri May 17 23:22:55 CEST 2019
Stephan Mueller commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171709007
> goto dh_cleanup;
> }
>
> + /* if we have Q check that y ^ q mod p == 1 */
> + if (q != NULL) {
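Review bot: the `q != NULL` guard skips the `y ^ q mod p == 1` check entirely whenever the caller supplies no q, including safe-prime groups where q = (p - 1) / 2 can be derived from p; consider deriving q for such groups (by table lookup or by testing (p - 1) / 2 for primality) before falling back to the NULL test, so that the subgroup check is not silently dropped for the groups TLS actually uses.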
Hi Nikos,
> Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/pk.c:
> https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171694887
> > goto dh_cleanup;
> >
> > }
> >
> > + /* if we have Q check that y ^ q mod p == 1 */
> > + if (q != NULL) {
>
> If we disable DHE in TLS1.2 there is no practical value from the new test
> using Q because this catches incorrect public keys, but only in the
> non-safe groups (SP800-56A acknowledges that). I'd expect the ACVP/CAVS
> tests to be different depending on whether `SP800-56A 5.6.2.2.2 case 1` or
> case (2) is claimed. Let's see what Stephan thinks on that.
The following is NOT yet official, but should guide your considerations.
We just had a discussion with the responsible persons within NIST defining the
crypto requirements. The following conclusion came out of the discussion that
yet needs to be poured into a FIPS IG.
- If we have Sophie-Germain primes, we must have a check of the remote key.
For TLS, you will always be able to get the Q from the communicated P (Q = (P
- 1) / 2) or via a lookup-table.
- If you get a random prime via TLS, you can dispense with the remote key
check.
- We have to expect that the ACVP testing will be updated to allow testing of
DH with Sophie-Germain primes.
- For the existing ACVP testing providing a random prime, the key check must
be performed.
That said, the check above should be updated to check that P references a
Sophie-Germain prime and obtain Q if this is the case. Only if the Q value is
not found after that P lookup, the q != NULL is good.
Though, this solution is yet to be turned into an official statement. I expect
an official statement in the not too far future.
Until that happens, please leave the check in the code above for now.
Ciao
Stephan
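The validation flow discussed in this thread, written out as an added Python example (not GnuTLS code): derive q = (p - 1) / 2 when p turns out to be a safe prime, then run the y ^ q mod p == 1 subgroup check alongside the 2 <= y <= p - 2 range check. The primes 23 and 29 and the public values are constructed toy inputs; real groups use the RFC 7919 primes.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; enough for demonstrating the q derivation."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # composite witness found
    return True


def derive_q_if_safe_prime(p):
    """Return q = (p - 1) / 2 when p is a safe prime (q itself prime), else None.
    A production library would consult a table of known groups before doing this."""
    q = (p - 1) // 2
    return q if is_probable_prime(q) else None


def validate_dh_public_key(y, p, q=None):
    """Full public-key validation in the SP800-56A style.
    Range check always runs; the order check y^q mod p == 1 runs whenever q is
    supplied or can be derived from a safe prime p. With neither, only the range
    check remains, which is the situation the q != NULL guard in the patch covers."""
    if not 2 <= y <= p - 2:
        return False
    if q is None:
        q = derive_q_if_safe_prime(p)
    if q is None:
        return True            # no subgroup information available: partial validation only
    return pow(y, q, p) == 1   # y must lie in the prime-order subgroup


if __name__ == "__main__":
    # Constructed values: p = 23 is a safe prime (q = 11); 8 has order 11, 22 has order 2.
    for y in (8, 22, 5, 1):
        print(y, validate_dh_public_key(y, 23))
```

With p = 23 the values 22 (order 2) and 5 (order 22) are rejected even though both pass the range check, which is exactly the class of bad peer key the q-based test exists to catch.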